Statistical and charting functions

You can use the statistical and charting functions with the chart, stats, and timechart commands.

Support for related commands

The functions can also be used with related statistical and charting commands. The following table lists the commands supported by the statistical and charting functions and the related command that can also use these functions.

Functions that you can use to create sparkline charts are noted in the documentation for each function. Sparkline is a function that applies only to the chart and stats commands, and allows you to call other functions. For more information, see Add sparklines to search results in the Search Manual.

Using eval expressions in statistical and charting functions

In some of the examples for the statistical and charting functions you might see eval expressions.

Using an eval expression in a statistical or charting function is a shortcut for specifying an eval command that creates a field, followed by a stats command that references that field.

For example:

... | stats count(eval(status="404")) AS count_status BY sourcetype

Here's another example:

... | timechart eval(round(avg(cpu_seconds),2)) BY processor

When you use an eval expression with the timechart command, you must also use a BY clause.

As a shortcut, you can use an eval <expression> in a statistical or charting function where you would normally use a <field>. One example of the eval <expression> syntax is:

How field values are processed

Most of the statistical and charting functions expect the field values to be numbers. All of the values are processed as numbers, and any non-numeric values are ignored.

The following functions process the field values as literal string values, even though the values are numbers.

count

distinct_count

earliest

estdc

estdc_error

first

latest

last

list

max

min

mode

values

For example, if you use the distinct_count function and the field contains values such as "1", "1.0", and "01", each value is counted as a distinct string value.

The only exceptions are the max and min functions. These functions process values as numbers if possible. For example, the values "1", "1.0", and "01" are processed as the same numeric value.

Supported functions and syntax

The following table is a quick reference of the supported statistical and charting functions. This table lists the syntax and provides a brief description for each of the functions. Use the links in the table to learn more about each function and to see examples.

count(X): Returns the number of occurrences where the field that you specify contains any value (is not empty). You can also count the occurrences of a specific value in the field by using the eval command with the count function. For example: count(eval(field_name="value")).

estdc_error(X): Returns the theoretical error of the estimated count of the distinct values in the field X. The error represents the ratio absolute_value(estimate_distinct_count - real_distinct_count) / real_distinct_count.

max(X): Returns the maximum value of the field X. If the values of X are non-numeric, the maximum value is found using lexicographical ordering. This function processes field values as numbers if possible, otherwise it processes field values as strings.

earliest_time(X): Returns the UNIX time of the earliest (oldest) occurrence of a value of the field. Used in conjunction with earliest(X), latest(X), and latest_time(X) to calculate the rate of increase for an accumulating counter.

latest_time(X): Returns the UNIX time of the latest (most recent) occurrence of a value of the field. Used in conjunction with earliest(X), earliest_time(X), and latest(X) to calculate the rate of increase for an accumulating counter.

rate(X): Returns the per-second rate of change of the value of the field. Represents (latest(X) - earliest(X)) / (latest_time(X) - earliest_time(X)). Requires the earliest(X) and latest(X) values of the field to be numeric, and the earliest_time(X) and latest_time(X) values to be different.
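The following Python model is an added example, not code from the Splunk documentation: it reproduces the rules described on this page (an eval expression inside count, the literal-string handling of distinct_count, the numeric-if-possible handling of max, and the rate formula with its non-numeric and equal-time failure cases) over constructed sample events with made-up field names. The treatment of a field mixing numeric and non-numeric values in max is a simplifying assumption of this model.

```python
# Added illustration, not Splunk's own code: a Python model of the value-handling
# rules on this page, run over constructed sample events (field names made up).
EVENTS = [
    {"_time": 100, "sourcetype": "access", "status": "404", "bytes": "1"},
    {"_time": 160, "sourcetype": "access", "status": "200", "bytes": "1.0"},
    {"_time": 220, "sourcetype": "access", "status": "404", "bytes": "01"},
    {"_time": 280, "sourcetype": "auth", "status": "404", "bytes": "n/a"},
    {"_time": 340, "sourcetype": "access", "status": "404", "bytes": "250"},
]

def as_number(value):
    """Numeric reading of a field value, or None if it is not numeric."""
    try:
        return float(value)
    except ValueError:
        return None

def count_eval(events, field, wanted, by):
    """Models `stats count(eval(field="wanted")) BY by`: matching events per group."""
    counts = {}
    for ev in events:
        if ev.get(field) == wanted:
            counts[ev[by]] = counts.get(ev[by], 0) + 1
    return counts

def distinct_count(values):
    """distinct_count compares literal strings: "1", "1.0" and "01" are three."""
    return len(set(values))

def max_value(values):
    """max is numeric when every value parses as a number, else lexicographic
    (assumption: one non-numeric value makes the whole comparison string-based)."""
    values = list(values)
    nums = [as_number(v) for v in values]
    return max(nums) if all(n is not None for n in nums) else max(values)

def rate(events, field):
    """rate(X) = (latest(X) - earliest(X)) / (latest_time(X) - earliest_time(X)).
    Returns None if either endpoint is non-numeric or the two times coincide."""
    ordered = sorted((e for e in events if field in e), key=lambda e: e["_time"])
    first, last = ordered[0], ordered[-1]
    lo, hi = as_number(first[field]), as_number(last[field])
    if lo is None or hi is None or first["_time"] == last["_time"]:
        return None
    return (hi - lo) / (last["_time"] - first["_time"])
```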
